* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Circuit principles and weak pigeonhole variants
Model theory wikipedia , lookup
Peano axioms wikipedia , lookup
Foundations of mathematics wikipedia , lookup
Propositional calculus wikipedia , lookup
Mathematical proof wikipedia , lookup
Mathematical logic wikipedia , lookup
Naive set theory wikipedia , lookup
Axiom of reducibility wikipedia , lookup
Interpretation (logic) wikipedia , lookup
Non-standard analysis wikipedia , lookup
List of first-order theories wikipedia , lookup
Computable function wikipedia , lookup
Kolmogorov complexity wikipedia , lookup
Combinatory logic wikipedia , lookup
History of the function concept wikipedia , lookup
History of the Church–Turing thesis wikipedia , lookup
Law of thought wikipedia , lookup
Circuit principles and weak pigeonhole variants Chris Pollett Norman Danner 214 MacQuarrie Hall, Department of Computer Science San Jose State University One Washington Square, San Jose CA 95192. Email: [email protected] Department of Mathematics and Computer Science Wesleyan University Middletown, CT 06549-0128 Email: [email protected] Abstract This paper considers the relational versions of the surjective and multifunction weak pigeonhole principles for PV , Σb1 and Θb2 -formulas. We show that the relational surjective pigeonhole principle for Θb2 formulas in S21 implies a circuit block-recognition principle which in turn implies the surjective weak pigeonhole principle for Σb1 formulas. We introduce a class of predicates corresponding to poly-log length iterates of polynomial-time computable predicates and show that over R22 , the multifunction pigeonhole principle for such predicates is equivalent to an “iterative” circuit block-recognition principle. A consequence of this is that if R32 proves this circuit iteration principle then RSA is vulnerable to quasi-polynomial time attacks. Keywords: Bounded arithemtic, circuit lower bounds, pigeonhole principle, RSA, cryptography. 1 Introduction The weak pigeonhole principle (WPHP ) states that given a function from a set of size n2 into a set of size n, there are two elements in the domain that map to the same element in the range. This principle gives one the ability to do a limited amount of counting with regard to the function in question. The weak pigeonhole principle has been used in the context of propositional proof complexity to define sequences of true formulas which do not have short resolution or constant depth Frege proofs (Ajtai 1994, Beame, Impagliazzo, Krajı́ček, Pitassi, Pudlák & Woods 1992). It has also been well-studied in the context of first order logic. Here one adds the principle for some class of relations—for instance, the p-time computable relations or the ∆0 relations—to a weak system of arithmetic and considers what new results are provable in the strengthened system. An early result of this type is that I ∆0 +WPHP (∆0 ) proves there are infinitely many primes (Paris, Wilkie & Woods 1988). The pigeonhole principles in both contexts are intimately related via well known translations of first order bounded arithmetics into sequences of propositional proofs (Paris & Wilkie 1985, Krajı́ček & Pudlák 1990). c Copyright 2005, Australian Computer Society, Inc. This paper appeared at Computing: The Australasian Theory Symposium (CATS 2005), Newcastle, Australia. Conferences in Research and Practice in Information Technology, Vol. 41. Mike Atkinson and Frank Dehne, Ed. Reproduction for academic, not-for profit purposes permitted provided this text is included. Besides the traditional injective pigeonhole principle described above, many other flavors have been considered in the literature. These include the surjective pigeonhole principle which says that there is no surjective function from a set of size n onto a set of size 2n, the bijective pigeonhole principle which combines the injective and surjective principles, and the multifunction pigeonhole principle which is like the injective principle but defined in terms of multifunctions rather than just functions. In weak theories of arithmetic it might not be provable that these pigeonhole notions coincide. Recently, Jeřábek (2004, §3) has shown that the surjective pigeonhole principle for p-time functions is connected with circuit lower bounds. He shows that in bounded arithmetic S21 the surjective weak pigeonhole principle for p-time functions is equivalent to the statement that for each fixed k > 0 there is a string of length 2nk which is hard for circuits of size nk . Here S21 is a theory which roughly has length induction for NP predicates. Given this result it is natural to ask whether the other forms of the pigeonhole principle can be connected to circuit principles. Jeřábek’s result was for the pigeonhole principle expressed using p-time functions so it is further natural to try to extend his results to the case where the surjection is expressed as the graph of a function rather than by a function symbol, thereby allowing consideration of functions more complex than p-time. Razborov (1995, App. C) has argued that Shannon’s counting argument cannot obviously be formalized in S21 . As a consequence, S21 cannot, at least in a direct way, formalize Kannan’s result (Kannan 1982) that there is a set in NEXPNP that is not in P/poly. To a large degree, these statements are consequences of Parikh’s Theorem which shows that S21 cannot define functions of super-polynomial growth. Nevertheless, it is open whether S21 can prove a “weak Kannan result”—the existence of sets Ak which require circuits of size greater than nk for each fixed k. It is also still open whether, if for one fixed set A defined by a bounded arithmetic formula, S21 can prove the sequence of statements: “A requires circuits of size greater than nk ”, for each fixed k > 0. A positive answer to this latter question would imply S21 could prove P 6= NP, and so, of course, P 6= NP would hold in the real world. Jeřábek’s result to some extent gives an upper bound on the theory required to prove a weak Kannan result, for once we know a hard string exists, if we can obtain a least such string, we can construct a fixed set which is hard for size-nk circuits. This kind of argument can be carried out in the theory S23 , where S2i is defined roughly as the theory with length induction for the ith level of polynomial hierarchy. This is because S23 can do the necessary minimization and Paris et al. (1988) have shown that S23 proves the weak pigeonhole principle for p-time functions (see (Krajı́ček 1995) for an exposition). It is interesting to ask whether one can make any progress on showing a matching lower bound on the theory required. The intent of this paper is to show that to some extent all of the questions posed above can be answered. For the remainder of this introduction, n = |x| for some x. Let sWPHP (Ψ) (resp. mWPHP (Ψ)) denote the surjective (resp. multifunction) weak pigeonhole principle for the relations in Ψ. We show that over S21 , sWPHP (Θb2 ) implies there is a string S of length 2nk that is not block-recognized by any circuit (code) of size nk . That is, there is no such circuit such that for b < 2nk−1 and s < 2n , C(b, s) outputs 1 if and only if s is the b-th length-n block of S. Here Θb2 (sometimes called Σb0 (Σb1 ) in the literature) is a class of formulas that precisely defines the sets in P NP (log), sets computable in polynomial time using at most logarithmically many oracle queries to an NP set. On the other hand, it is also shown that the existence of such a hard string for each k implies sWPHP (Σb1 ). Here the Σb1 -formulas correspond to the NP-sets. The reason for the slight gap is that specifying the uniqueness of the block that is recognized slightly bumps up the complexity of the pigeonhole principle needed to show the circuit result, but it is not clear how to harness this added complexity in the reverse direction. For this direction, we adapt the proof of Jeřábek’s result to amplify a surjection f : 2n → 22n to a surjection k from 2n onto 22n by a circuit that iterates f , but only “remembers” n bits of each computation. For the multifunction case, let ITER(PV , {||id||O(1) }) denote the class of relations which can be computed as poly-log length iterations of a polynomial relation. The precise statement of this requires that when x is in such a set that is defined using a p-time relation, R, the sequence of computation values R(x, y1 ), R(y1 , y2 ), . . ., R(yt−1 , yt ) where t is O(log |x|), is uniquely defined. Note that just because we can recognize that R(x, y1 ) holds in p-time does not imply that there is a p-time function which computes y1 from x, even if y1 is polynomially bounded. This iteration principle is similar to one considered by Krajı́ček in the context of the propositional proof complexity of the surjective pigeonhole principle (Krajı́ček 2004). ITER(PV , {||id||O(1) }) contains PV and like Θb2 is contained in the class Σb2 . We show that over R22 , mWPHP (ITER(PV , {||id||O(1) })) is equivalent to the k existence of a string S < 22n that is not iteratively block-recognized by any circuit of size nk . Hence, this principle over R22 also implies mWPHP (PV ). The last statement can be used to say something either about the likelihood of proving circuit lower bounds in weaker theories or about the security of RSA against various kind of attacks attacks. Krajı́ček and Pudlák (1998) (see also (Thapen 2002, Lemma 3.15)) have shown that if there is an algorithm witnessing the injective weak pigeonhole principle for p-time functions (this is contained in iWPHP (PV ) which allows p-time relations) from a class C satisfying PC = C, then RSA is vulnerable to attacks from C. Extending R2i by a quasi-polynomial growth rate function, #3 , gives the theories R3i . We apply Krajı́ček and Pudlák’s result to conclude that if R32 proves our circuit principle then RSA is vulnerable to quasi-polynomial time attacks. As R32 contains the theories R22 and S21 the same result holds for them if they can prove our circuit principle. One can somewhat strengthen the theory R32 and still obtain results which we believe are open. For example, if R33 proves our circuit principle, then RSA is vulnerable to attacks computed in the polynomial closure of quasi-polynomial local search. All of these result rely on the fact that mPHP (PV ) implies iPHP (PV ). It is unknown over S21 whether sPHP (PV ) implies iPHP (PV ), which is why an analogous result does not follow immediately from Jeřábek’s result. As far as the authors know, it is open whether RSA is vulnerable to quasi-polynomial local search attacks; the main problem with breaking RSA using such an algorithm would be to find a neighborhood function which could indicate when one was getting closer to the message text. We make the observation here though that Hanika (2004) extending work of Ferreira (1995) has defined a generalized search class GLS † which captures the Σb1 -definable multifunctions of S23 . Given that S23 proves mPHP (PV ), and so also iPHP (PV ), it follows from Krajı́ček and Pudlák that RSA is vulnerable to attacks from the polynomial closure of GLS † . It also probably follows that there is some generalization of our circuit iteration principle corresponding to these search classes for which S23 can prove lower bounds. Therefore, showing RSA is vulnerable to a quasi-polynomial local search based attack or showing lower bounds for our iteration principle in R33 might not be much beyond current technology. The format of the rest of this paper is as follows: In the next section the notations and theories to be discussed in the remainder of the paper will be introduced. In the third section, results concerning the weak pigeonhole principle are reviewed. The next two sections prove the results for the surjective and then the multifunction pigeonhole principle. Finally, the last section has the RSA results. 2 Preliminaries This paper assumes familiarity with Buss (1986) or Krajı́ček (1995). For completeness, the basic notations of bounded arithmetic are quickly reviewed. The specific bootstrapping we are following is from Pollett (1999), but yield equivalent theories to the ones in the books just mentioned. The language L2 contains the non-logical symbols: 0, S, +, ·, =, . ≤, −, b 21 xc, |x|, MSP(x, i) and #. The symbols 0, S(x) = x + 1, +, ·, and ≤ have the usual meaning. . The intended meaning of x − y is x minus y if this is greater than zero and zero otherwise, b 12 xc is x divided by 2 rounded down, and |x| is dlog2 (x + 1)e, that is, the length of x in binary notation. MSP(x, i) stands for ‘most significant part’ and is intended to mean bx/2i c. Finally, x#y reads ‘x smash y’ and is intended to mean 2|x||y| . Natural hierarchies of prenex formulas can be defined in this language by counting alternations of bounded quantifiers. A formula consisting of i + 1 alternations of bounded quantifiers, the outermost of the form ∃x ≤ t (∀x ≤ t, respectively), followed by a matrix of sharply-bounded formulas, is a Σbi -formula (Πbi -formula, respectively). Here sharply bounded means bounded by a term of the form |t|. The definition of Σbi presented above is sometimes called strictΣbi or Σˆbi in the literature. For the theories of this paper it is a provably equivalent class to what is usually considered elsewhere such as in Buss (1986). The theory BASIC is axiomatized by all substitution instances of a finite set of quantifier-free axioms for the non-logical symbols of L2 . The theories considered in this paper are obtained from BASIC by adding various forms of the induction scheme Θb2 is sometimes called in the literature Σb0 (Σb1 ) or Σb2 ∩ Πb2 . Its sets corresponds to the complexity class Θp2 := PNP (log) (Buss & Hay 1991). A(0) ∧ (∀x)(A(x) ⊃ A(Sx)) ⊃ (∀x)A(t(x)). ∃x ≤ tA(x) ∧ ∀x, x0 ≤ t((A(x) ∧ A(x0 )) ⊃ x = x0 ). C-IND, -LIND (length induction), and -LLIND (length-length induction) are obtained by taking A ∈ C and t(x) to be x, |x|, and ||x||, respectively. . The term Bit(i, w) := MSP(w, i) − 2 · bMSP(w, i)/2c is the i-th bit of w. The axiom scheme of Comprehension for A ∈ C (C-COMP ) is We assume that the reader is familiar with the usual definition of a circuit. The predicate Circuit(C, n) is true if C codes a circuit on n variables and Output(C, i) is the PV -function computing the output of C on input i, where i represents a number in binary (assume some default value if ∀n¬Circuit(C, n) or Circuit(C, n) but i ≥ 2n ). These are straightforward to formulate in S21 using the sequence coding available there and have appeared before in the literature (Buss 1997). (∃w ≤ 2|a| )(∀i ≤ |a|)(A(i, a) ⇔ Bit(i, w) = 1). Sequences can be defined as ordered pairs in which the first component specifies a block size and the second a concatenation of blocks. Then SqBd (a, b) := 2(2a#2b) is a bound on the value of any sequence of length |b| + 1, each of whose components is < a, and β(b, w) is defined to be the b-th element of the sequence w. β(b, w) can be defined as a term in our language, and the basic properties of SqBd and β(b, w) can be proved using open length induction. With these terms in hand, we can state the axiom scheme of Replacement for A ∈ C (C-REPL): Definition 2 By ∃!x ≤ tA(x) we mean the usual abbreviation 3 Pigeonhole principles In this paper, the following variants of the weak pigeonhole principle will be considered: iPHP (R)m z ): n (~ n < m ∧ ∀x < n∃!y < nR(x, y, ~z) ⊃ ∃x1 , x2 < m∃y < n x1 6= x2 ∧ R(x1 , y, ~z) ∧ R(x2 , y, ~z) ∀x ≤ |a| ∃y ≤ bA(x, y) ⊃ ∃w ≤ SqBd (b + 1, a)∀i ≤ |a| β(i, w) ≤ b ∧ A(x, β(i, w)) . The theories R2i , S2i and T2i are obtained from BASIC by adding respectively the Σbi -REPL+Σbi LLIND, Σbi -LIND, or Σbi -IND axiom schema. The definition of R2i has Σbi -REPL added because we are working with prenex versions of Σbi (Pollett 1999). It is known that S2i+1 ⊇ T2i ⊇ S2i ⊇ R2i ⊇ S2i−1 , if R2i+1 ⊇ T2i then the polynomial hierarchy collapses (Krajı́ček, Pudlák & Takeuti 1991, Pollett 1999), and that R2i (hence S2i ) proves Σbi -COMP . Buss (1986, §3) shows that if one adds new function symbols to S21 for each polynomial-time function, together with axioms saying how the functions are recursively defined, one obtains a theory called S21 (PV ) which is conservative over S21 . For convenience, in this paper it will be assumed that these functions symbols are available in the language. We will use the notation FP to denote the defining equational axioms for these function symbols, and PV to denote the relations definable as open formulas involving these functions symbols. Among such functions, we will use the following “bit-extraction” functions frequently: 1. LSP(w, i) is the |w| − i least significant bits of w, and w[a..b] = LSP(MSP(w, a), |w| − b) consists of bits a through b inclusive of w. 2. β̂(b, n, w) = w[bn..(b + 1)n − 1] is the b-th length n block of bits of w. Beyond the standard bounded arithmetic formula classes, we next define a class which has appeared in the literature under several different names: Definition 1 The class Θb2 is the closure of Σb1 under Boolean connectives and sharply-bounded quantification. z ): mPHP (R)m n (~ n < m ∧ ∀x < m∃y < nR(x, y, ~z) ⊃ ∃x1 , x2 < m∃y < n x1 6= x2 ∧ R(x1 , y, ~z) ∧ R(x2 , y, ~z) sPHP (R)m z ): n (~ n < m ∧ ∀x < n∃!y < mR(x, y, ~z) ⊃ ∃y < m∀x < n¬R(x, y, ~z) where R is some predicate. While these principles are often called the functional, onto, and basic principles respectively, we will refer to them as the injective, multifunction, and surjective principles, as we feel these names better capture the nature of the mapping at hand. For any of these variants, the notation PHP (R)m n will be used when there are no parameter variables or when the parameter variables are clear. The notation PHP (C)m n will be used for the class of formulas PHP (R)m n where R ∈ C. The no2 tation WPHP (C) will be used for PHP (C)nn . When m we refer to the scheme vWPHP (R)n for v = s, i, or m, we mean all instances of the corresponding sentence in which terms are substituted for m and n. When C = FP , we understand the parameter list to have length 0, R to be a function symbol f ∈ FP , and R(x, y) to be f (x) = y. We now make a few observations about the relations between the various principles. Proposition 1 BASIC proves the following equivalences: 0 m (a) mPHP (R)m n is equivalent to mPHP (R)n where 0 m mPHP (R)n is ∀x1 , x2 < m∀y < n(R(x1 , y) ∧ R(x2 , y) ⊃ x1 = x2 ) ⊃ ¬(n < m) ∨ ∃x < m∀y < n¬R(x, y) . (b) sPHP (R)m n is equivalent to ∀y < n∃x < mR(x, y) ⊃ mPHP 0 (R)m n. (c) iPHP (R)m n is equivalent to ∀x < m∀y1 < n∀y2 < n R(x, y1 ) ∧ R(x, y2 ) ⊃ y1 = y2 ⊃ mPHP (R)m n. Proof. This argument will also hold if we had written parameter variables. The statement (a) follows because mPHP 0 (R)m n is just the contrapositive of mPHP (R)m n . (b) follows because the condition ∀y < n∃x < mR(x, y) says R is a total multifunction from y < n to x < m and the premise of mPHP 0 (R)m n guarantees this multifunction is a function. Finally, (c) follows since the condition ∀x < m∀y1 < n∀y2 < n(R(x, y1 ) ∧ R(x, y2 ) ⊃ y1 = y2 ) says R is a partial function from x < m to y < n and the premise of mPHP (R)m n guarantees this function is total. Corollary 2 BASIC proves mPHP (R)m implies n m both sPHP (R)m n and iPHP (R)n . Proposition 3 For each pigeonhole variant v = m, s, i, the theories T21 (R) and S22 (R) prove that 2 vPHP nn (R) ⊃ vPHP 2n n (R), Proof. (Sketch) The T21 (R) results follows from 2 the S2 (R) results since the formulas in question are boolean combinations of Σb2 -formulas and S22 (R) is conservative over T21 (R) for such formulas. The basic idea of the proof for S22 (R) is to show ¬vPHP n2n (R) ⊃ 2 ¬vPHP nn (R). To do this in each case one iterates |n| times the 2n into n function or multifunction (or n 2 onto 2n function) violating vPHP nn (R). It is unknown whether mPHP (Σb1 )m n is equiv1 over S for v = s or alent to vPHP (Σb1 )m n 2 i. Paris et al. (1988) showed that S2 ` mWPHP (∆0 ), where ∆0 is the class of bounded formulas. Krajı́ček (1995) has sharpened this to: Lemma 4 T22 (R) ` mWPHP (R). Hence, T22 ` mWPHP (PV ) and in particular T22 ` sWPHP (PV ). 4 Surjective pigeonhole principle and blockrecognition Jeřábek (2004) shows in that over S21 , the surjective weak pigeonhole principle is equivalent to the claim that there is a string hard string of length 2nk for circuits of size nk . The following can be shown to be equivalent to Jeřábek’s result; the main difference is the notation, which here corresponds to the notation we will use for our later results: Theorem 5 (Jeřábek 2004, Lemma 3.2, Proposition 3.5) Let n = |z|. Over S21 , the scheme 2 sWPHP (FP )nn is equivalent to the scheme k k ∃S < 22n ∀C < 2n ∃i < 2nk Circuit(C, 2nk ) ⊃ Output(C, i) 6= Bit(i, S) for k = 0, 1, . . .. We begin by giving modified versions of Jeřábek’s results for relational versions of the surjective weak pigeonhole principle. To simplify the notation a bit in this section, we often abuse notation and write C(i) to denote Output(C, i). Definition 3 Let C be a circuit on |dm/ne|+n input variables. We say that C n-block-recognizes S < 2m for all i < dm/ne and s < 2n , C(i, s) is true iff s = β̂(i, n, S). The predicate Fits(C, S, m, n) says that C(·, ·) has the right shape for n-block-recognizing S < 2m : Circuit(C, |dm/ne| + n) ∧ S < 2m . Let BlockRec(C, S, m, n) be the formula that says C n-block-recognizes S < 2m : Fits(C, S, m, n) ∧ ∀i < dm/ne ∃!s < 2n C(i, s) ∧ C(i, β̂(i, n, S)) . Proposition 6 Let n = |z|. For each k > k 0, S21 + sWPHP (Θb2 ) proves ∃S < 22n ∀C < k 2n ¬BlockRec(C, S, 2nk , n). Proof. Reason in S21 . Existence of S in h k k ∀C < 2n ∃!S < 22n Fits(C, S, 2nk , n) ∧ ∀i < 2nk−1 (∃!s < 2n C(i, s) ∧ C(i, β̂(i, n, S))) ∨ (¬Fits(C, S, 2nk , n) ∨ i ∃i < 2nk−1 ¬∃!s < 2n C(i, s) ∧ S = 0 k is provable using PV -REPL as follows: Fix C < 2n . If C is not of the correct shape, then S will be 0 and the result holds. So assume Circuit(C, 2nk−1 + n) and ∀i < 2nk−1 ∃!s < 2n C(i, s). Using Σb1 -COMP , one can show one can define any block of S bit-by-bit. Then using Σb1 -REPL one can define all the blocks in a single string. Uniqueness of S follows by proving length induction first on the bits in two strings in a block and then by length induction on the blocks. Since the predicate in brackets is Θb2 , one can apply k sWPHP (Θb2 ) to conclude that there is some S < 22n k such that for all C < 2n the predicate in brackets fails. Then in particular, the first disjunct must fail, which completes the proof of the Theorem. As a corollary to the proof, we have the following result: Proposition 7 Let n = |z|. For each k > k 0, S21 + sWPHP (FP ) proves ∃S < 22n ∀C < k 2n ¬BlockRec(C, S, 2nk , |n|). Proof. The same argument applies, but now we note that the condition on C is PV because the quantifiers in the uniqueness criterion are sharply bounded, so sWPHP (PV ) applies. But then this condition defines a PV -function, so only the functional version of sWPHP is needed. Theorem 8 Let T be the theory obtained from S21 by adding the axiom k k ∃S < 22n ∀C < 2n ¬BlockRec(C, S, 2nk , n) for each n = |z| and k > 0. sWPHP (Σb1 ). Then T proves 0 3. The size of Gi is O(in` +1 ). Proof. It suffices to argue in S21 that if there is b a Σ1 -relation R(x, y) that is the graph of a surjection f from 2n onto 22n (where without loss of genk erality n = |z| for some z), then ∀S < 22n ∃C < k 2n BlockRec(C, S, 2nk , n). Note that assuming the existence of such a relation R does not allow us to assume there is a function symbol in PV for f , since we do not have that S21 proves that R is the graph of a ` function. Say that R has the form ∃z < 2n R0 (x, y, z) where R0 is PV and let C0 be a circuit on variables x0 , . . . , xn−1 , y0 , . . . , y2n−1 , z0 , . . . , zq (q = n` ) that outputs 1 exactly when R0 (x, y, z) holds (here, Bit(i, x) = xi , etc.). Furthermore, let `0 be such that 0 C0 has size O(n` ). We will use C0 to construct circuits Gi (u, x, y, w) where u < 2i , x, y < 2n , and w is a sequence of length i, each of whose elements has size bounded by 2n + q. Gi is intended to represent a i surjection from 2n onto 22 n by repeatedly applying f to x and taking the left- or right-half of the result according to the bits of u. Our final circuit C will be obtained by fixing i and “hard-coding” w. Specifically, the predicate computed by Gi is defined as follows: k Now suppose that S < 22n and let r = 2nk−1 = (k − 1) |n| + 1, so that 2r n = 2nk . Then as we just showed, there are (provably in S21 ) e and w such that Gr (·, e, ·, w) n-block-recognizes S. Let Cr (i, s) = Gr (i, e, s, w). The size of Cr is ≤ c((k − 1) |n| + 0 0 1)n` +1 ≤ c0 kn` +2 for some c and c0 . Furthermore, any circuit of size m can be given a code of size ≤ 2m(|m|+1). Thus, if we take k large enough so thatk `0 +2 k 0 `0 +2 0 n ≥ 2c kn (c kn +1), then C(k−1)|n|+1 < 2n is a circuit that n-block recognizes S. Since S was chosen arbitrarily, this completes the proof. Combining Proposition 6 with Theorems 5 and 8, we have the following inclusions of theories, where the block-recognition axiom schemes range over all n = |z| and k > 0: S21 + sWPHP (Θb2 ) ⊇ k S21 + sWPHP (Σb1 ) ⊇ S21 + sWPHP (PV ) ⊇ S21 + sWPHP (F P ) ≡ G0 (u, x, y, w) :=(u = 0) ∧ (x = y) k k k k S21 + ∃S < 22n ∀C < 2n ¬Compute(C, S, 2nk ) ⊇ Gi+1 (u, x, y, w) :=u < 2i+1 ∧ Gi (DMSB(u), cond(MSB(u), w[n..2n − 1], w[0..n − 1]), y, MSP(w, 2n + q)) ∧ C0 (x, w[0..2n − 1], w[2n..2n + q − 1]). S21 + ∃S < 22n ∀C < 2n ¬BlockRec(C, S, 2nk , 1) where Compute(C, S, m) holds if C is a circuit on |m| variables, |S| = m, and for all i < m, Output(C, i) = Bit(i, S). The last inclusion follows directly from the fact that a 1-block recognizer for S can be converted into a circuit that computes S by fixing the value of the “guess” for the length-1 block to 1. Equivalence between computing S and 1-block recognizing S is slightly more complex, as converting a circuit that computes S into one that 1-block recognizes S in the obvious way increases the circuit (code) size by O(|n|). To state an equivalence, we would thus change the circuit code size in the Compute theory to be nk + O(|n|). Taking the contrapositive, we have the following curious corollary: where DMSB(u) = LSP(a, |a| − 1) is a with its most significant bit deleted, MSB(a) = MSP(a, 1) is the most significant bit of a, and cond(b, c, d) is either c or d as per whether b = 0 or b = 1. Formally, we are defining a function Ḡ(i), where Ḡ(i) is the code of the circuit computing the predicate Gi ; Ḡ(i + 1) is defined recursively from the code returned by Ḡ(i). Thus, when we write Gi (u, x, y, w), we really mean Output(Ḡ(i), u, x, y, w). Following Jeřábek, if r = ||z|| for some z and i < r, then Gi (u, x, y, z) is Σb1 -definable and we can prove Corollary 9 k k S21 + ∀S < 22n ∃C < 2n BlockRec(C, S, 2nk , 1) ⊇ r 1. For any S < 22 n , ∃e < SqBd (n, 22 k S21 + ∃S < 22n ∀C < 2n ¬BlockRec(C, S, 2nk , n) ⊇ k k S21 + ∀S < 22n ∃C < 2n BlockRec(C, S, 2nk , n). r−i )∃w < SqBd (i(2n+q), 22 r−i ) ∀u < 2i ∀v < 2r−i Gi (u, (e)v , β̂(2i v+u, n, S), (w)v ), (Σb1 -LIND on i ≤ r). Since r = ||z|| and i ≤ r, this predicate is in fact Σb1 . In particular, taking i = r we have that ∃e < 2n ∃w < 2r(2n+q) ∀u < 2r Gr (u, e, β̂(u, n, S), w). where the block-recognition axiom schemes range over all n = |z| and k > 0. Note that the “obvious” approach to proving this fails. One can construct an n-block-recognizer by combining many copies of a 1-block-recognizer, each of size nk ; however, the resulting circuit (code) will possibly have size greater than nk . We conclude this section with a variant of sWPHP . Let sWPHP (D, R)m n be the following principle: (n < m ∧ ∀x < n(D(x) ⊃ ∃!y < mR(x, y))) ⊃ ∃y < m∀x < n(D(x) ⊃ ¬R(x, y)). 2. ∀i∀u < 2i+1 ∀e < 2n ∀y, y 0 < 22n ∀w, w0 < 2i(2n+q) [ (Gi (u, e, y, w) ∧ Gi (u, e, y 0 , w0 )) ⊃ y = y 0 ]. (Πb1 -LIND on i). In other words, R cannot be the graph of a surjective function from D (a subset of {0, . . . , n}) onto {0, . . . , m}. sWPHP (D, C) is the set of prin2 ciples sWPHP (D, R)nn for D ∈ D and R ∈ C. This bears some similarity to Thapen’s alternative version of a multifunction pigeonhole principle which states that a function cannot be a surjection from a subset of n onto m (Thapen 2002, Definition 3.1(4)). There, however, the complexity of the domain is left unspecified, and it is not certain what the exact relationship between the two principles is. The proof of the following is similar to that of Proposition 6: Proposition 10 Let n = |z|. For each k > 0, S21 + sWPHP (Θb2 , PV ) proves k m ∀j ≤ |h(~z)| Iter (R, B, E, j, ~z, s, ||t|| ) ⇔ m Iter (R∗ , B ∗ , E ∗ , ~z, s(|h| + 1), ||t|| ). O(1) In other words, ITER(PV , {||id|| }) is closed under sharply bounded universal quantification. k ∃S < 22n ∀C < 2n ¬BlockRec(C, S, 2nk , n). 5 R∗ (i, u, v, ~z) ∈ PV and terms B ∗ (~z) and E ∗ (~z) such that R22 proves mWPHP and Iteration The next definition will be used to state circuit principles connected with mWPHP . Definition 4 Given a class C of formulas and a set τ of terms, ITER(C, τ ) consists of formulas of the form Iter (R, B, E, z1 , . . . , zn , s, t) := ∃w ≤ SqBd (s, 2min(t+1,|r|) )Comp(R, B, E, w, ~z, s, t) where R(i, u, v, ~z) ∈ C, r, B(~z) and E(~z) are terms, and Comp(R, B, E, w, ~z, s, t) is Seq(w) ∧ Len(w) = t + 2 ∧ ∀i ≤ t β(i, w) ≤ s ∧ R(i, β(i, w), β(i + 1, w), ~z) ∧ ∀v ≤ s(R(i, β(i, w), v, ~z) ⊃ v = β(i + 1, w)) ∧ β(0, w) = B(~z) ∧ β(t + 1, w) = E(~z). It is permissible that R not depend on all of the variables ~z; when this is a case for a specific R (such as Out, in Definition 5), we will omit mention of the unused variables. Formally we should declare the parameters upon which R depends and rewrite Comp to list only those parameters, but we will instead informally refer to R “depending” on zi or not (and similarly for B and E). The predicate Iter is related to a predicate in Krajı́ček (2004) which was studied in the context of propositional proof complexity. Where it is clear that a suitable r can be found so that t + 1 < |r| then, we will sometimes just write 2t+1 for 2min(t+1,|r|) . The latter form is introduced only because the exponential function is not necessarily total in bounded arithmetic theories. The intuition behind Iter(R, B, E, ~z, s, t) is that it verifies that there is a (t + 1)-stepped computation from initial value B(~z) to final value E(~z) each step of which follows uniquely from the previous according to R. The values at each step are bounded by s. It should be observed that if s is of polynomial length then the ability to verify in p-time that a string for the (i+1)-st step follows from a string for ith step does not entail that there is a p-time function computing the (i + 1)-st step from the i-th step. Write {||id||O(1) } for the set of terms of the form ||t||m for some term t and some fixed number m in the language. The following lemmas establish the basic properties of ITER(C, τ ). Lemma 11 1. The theory S21 proves that ITER(PV , {||id||O(1) }) contains the PV predicates. 2. For R(i, u, v, j, ~z) ∈ PV , any terms B(j, ~z) and E(j, ~z), and any term h(~z), there is Proof. (1) Suppose R(~z) is a PV predicate. Consider the predicate R∗ (i, a, b, ~z) defined as (i = i ∧ a = 0 ∧ b = 0 ∧ R(~z)). Then Iter (R∗ , 0, 0, ~z, 1, ||t||m ) will compute the same predicate as R(~z) (regardless of t). (2) The left-hand-side says that for each j ≤ |h|, R m “maps” B(j, ~z) to E(j, ~z) in ||t|| steps. R∗ will map the sequence hB(0, ~z), . . . , B(|h| , ~z)i to the sequence hE(0, ~z), . . . , E(|h| , ~z)i in the same number of steps. By Σb2 -REP L the left-hand-side is equivalent to ∃w ≤ SqBd (SqBd (s, 2||t|| m +1 ), 2|h|+1 )∀j ≤ |h| m Comp(R, B, E, β(j, w), j, ~z, s, ||t|| ). Let R∗ (i, u, v, ~z) be the predicate u ≤ SqBd (s, 2|h| ) ∧ v ≤ SqBd (s, 2|h| ) ∧ Seq(u) ∧ Seq(v) ∧ ∀j ≤ |h| (R(i, β(j, u), β(u, v), j, ~z). Let B ∗ = hB(0, ~z), . . . , B(|h| , ~z)i and E ∗ = hE(0, ~z), . . . , E(|h| , ~z)i. Then the sequence W defined by β(i, W ) = hβ(0, β(i, w)), . . . , β(|h| , β(i, w))i is a witness to the right-hand-side; since W is computable in polynomial-time from w, it is definable in R22 ⊇ S21 . Lemma 12 R22 proves U niq(||t||m ) for fixed m where U niq(a) is the formula Comp(R, B, E1 , w1 , ~z, s, a) ∧ Comp(R, B, E2 , w2 , z~0 , s, a) ⊃ w1 = w2 ∧ E1 = E2 where zi0 = zi if R or B depends on zi . Proof. First, note that Comp is equivalent to a Πb1 formula so U niq(|x|) will be equivalent to a Σb1 formula. Also, given the definition of Comp uniqueness of w in Comp(R, B, E, w, ~z, s, a) guarantees uniqueness of E. Let Comp 0 (R, B, w, ~z, s, a) be the same predicate as Comp except where the last conjunct checking that the final value of the sequence is E has been discarded. Let U niq 0 (a) be ∀w1 , w2 ≤ SqBd(s, 2a ) Comp 0 (R, B, w1 , ~z, s, a) ∧ Comp 0 (R, B, w2 , ~z, s, a) ⊃ w1 = w2 . Given our discussion this will be a Πb2 -formula and U niq 0 (a) ⊃ U niq(a), so it suffices to prove U niq 0 (|x|) to complete the proof. The theory S21 proves U niq 0 (0) since any sequence satisfying the Comp 0 expression will in this case consist of only two elements, the first elements must be x and the third conjunct in the definition of Comp 0 forces the uniqueness of the second block. This third conjunct in the definition of Comp 0 can also be used to show U niq 0 (a) ⊃ U niq 0 (Sa); the relevant fact is that k are S1 6= S2 < 22n , C < 2n 1. Let Out(i, u, v, b, C) be the predicate that is true when C is a circuit on |i| + |u| + |v| + |b| variables and C(i, u, v, b) is true. 2. Let IterBlockRec(C, S, c, x, t) be ∀b < nk−1 , c < 22n such that j +1 ) CompOutput(w, S, C, c, b, x, ||t||j ) Comp 0 (R, B, F RON T (w), ~z, s, a). Definition 5 −2n ∀b < nk−1 ∃w ≤ SqBd(22n , 2||t|| Comp 0 (R, B, w, ~z, s, Sa) ⊃ Here F RON T (w) is the p-time function that returns all but the last element of w. The point is U niq 0 (a) guarantees the uniqueness of F RON T (w) since it has size less than SqBd(s, 2a ), and the third conjunct will guarantee the uniqueness of the element that is added to F RON T (w) to obtain w. Hence, w will also be unique. Thus using Πb2 -LLIND and standard speedup of induction techniques (Pollett 1999), the theory R22 proves U niq 0 (||x||m ) and hence U niq(||x||m ). k for i = 1, 2. Fix any b < nk−1 . By Lemma 12, there is a unique pair (w, v) such that j Comp(Out, c, v, w, b, C, c, Si , 2|c| , ||t|| ) for i = 1, 2 (note that Out does not depend on S), and so we conclude that for each b < nk−1 we have β̂(b, 2n, S1 ) = β̂(b, 2n, S2 ). In other words, the b-th blocks of S1 and S2 are equal. Since b was chosen arbitrarily, all blocks of S1 and S2 are the same. By induction on the number of blocks, one shows that this implies that S1 = S2 , a contradiction. Theorem 14 Let n = |x|. Let T be the theory R22 extended by the axioms k ∃S < 22n ∀C < 2n k −2n ∀c < 22n ¬IterBlockRec(S, C, c, x, ||t||j ) Iter (Out, c, β̂(b, 2 |x| , S), b, C, c, S, 2|c| , t) . By Lemma 11, this is an iteration predicate. Note that Out depends only on the parameters b and C. 3. Let CompOutput(w, C, S, c, b, x, t) be Comp(Out, c, β̂(b, 2 |x| , S), w, b, C, c, S, 2|c| , t) for each k > 1, ||t||j in {||id||O(1) }. Then (a) T proves mWPHP (PV ) and (b) T proves mWPHP (ITER(PV , {||id||O(1) })). Proof. (a) Assume that R(x, y) is a PV -formula that is the graph of an injective multifunction from 22n into 2n . Define AM P 0 (S, c, j, x, w) to be the conjunction of the following statements: 1. S < 22 j+1 n ; 2. w is a sequence of length j + 1; so that IterBlockRec(C, S, c, x, t) is 3. For 0 ≤ i ≤ j, β(i, w) is a sequence of length 2i ; ∀b < nk−1 ∃w ≤ SqBd(2|c| , 2t+1 ) CompOutput(w, C, S, c, b, x, t) . Theorem 13 Let n = |x|. For k > 1, ||t||j in {||id||O(1) }, the theory R22 +mWPHP (ITER(PV , {||id||O(1) })) proves the principle k ∃S < 22n ∀C < 2n k −2n ∀c < 22n ¬IterBlockRec(C, S, c, x, ||t|| ). The use of two separate variables C and c is a notational convenience: we could replace them by a single k variable C 0 of size 2n and use MSP and LSP to obtain values for these two variables. Proof. Reason in R22 , and suppose that k k −2n ∃c < 22n 5. For 0 ≤ i < j and 0 ≤ ` < 2i , R(β(2`, β(i + 1, w)), MSP(β(`, β(i, w)), n)); 6. For 0 ≤ i < j and 0 ≤ ` < 2i , R(β(2` + 1, β(i + 1, w)), LSP(β(`, β(i, w)), n)); 7. β(0, β(0, w)) = c; j ∀S < 22n ∃C < 2n 4. For 0 ≤ i ≤ j and 0 ≤ ` < 2i , |β(`, β(i, w))| ≤ 2n; h ∀b < nk−1 ∃w ≤ SqBd(22n , 2||t|| j +1 ) i CompOutput(w, C, S, c, b, x, ||t||j ) . Using Lemma 11, the expression in square brackets is equivalent in R22 to an ITER(PV , {||id||O(1) }) predicate. So by mWPHP (ITER(PV , {||id||O(1) })) there 8. For 0 ≤ ` < 2j , β(`, β(j, w)) = β̂(`, 2n, S). In other words, w is a “triangle” that consists of j + 1 rows, where the i-th row has 2i blocks, and each block is of length at most 2n; the 0-th row is c and the (j + 1)-st row is S. The i-th row is formed by using R to “compress” the blocks of the (i + 1)st row. Let AM P (S, c, j, x) be the predicate ∃w ≤ j SqBd(SqBd(22n , 22 −1 ), 2j )AM P 0 (S, c, j, x, w). As usual exponentials are ‘cut-off’, in this case by a term of the form ||r|| for some r, so AM P is (equivalent to) a Σb1 formula over BASIC . By Πb2 -LLIND on j, one can show that ∀S < j+1 22 n ∃c < 22n AM P (S, c, j, x) and hence conclude k|n|+1 n ∀S < 22 ∃c < 22n AM P (S, c, k |n| , x). For the j+2 induction step, given S < 22 n , use R to compress j+1 adjacent length-n blocks in pairs to get S 0 < 22 n and then apply the induction hypothesis to get c such that AM P (S 0 , c, j, x). To show AM P (S, c, j, x), take the sequence (triangle) w0 given by AM P (S 0 , c, j, x) and add a new row consisting of the length-2n blocks of S. k Now fix S < 22n and take c such that AM P (S, c, k |n| , x). Let C(i, u, v, b) be the circuit that computes the predicate R v, cond Bit((k − 1) |n| − i, b), MSP(u, n), LSP(u, n) ∧ (i = 0 ⊃ u = c). Take any b < nk−1 (the number of length-2n blocks in S). Let w be the sequence (triangle) given by AM P (S, c, k |n| , x) and define a new sequence v by β(i, v)) = β(MSP(b, i), β(i, w)). In other words, v consists of the blocks in w starting at c and traversing the triangle to end at the b-th block of S in the last row. Then v is a sequence of k |n| starting at c, ending at β̂(b, 2n, S) and for which C(i, β(i, v), β(i+1, v)) for each i; this follows from AM P (S, c, k |n| , x). Uniqueness of each step follows from the fact that R is injective. As in the proof of Theorem 8, take k large k enough so that we can assume C < 2n −2n ; then by chasing definitions, we see that we have proved k k ∀S < 22n ∃C < 2n −2n ∃c < 22n IterBlockRec(C, S, c, x, k ||x||), completing the proof of (a). We now describe how to modify the proof of (a) to obtain a proof of (b). Let Q := Iter (R, B, E, x, y, ~z, s, ||t||m ) be a predicate such that ¬mWPHP (Q). We are assuming that the injection from 22n to 2n is on the variables x and y which are among the parameter variables of R, B, and E. We use the R in this Q to create a modified version of AM P , essentially where we have inserted between each step in the old AMP the iterations need to compute Q . Let clen := ||t||m + 3. The new version of AM P 0 asserts: 1. S < 22 j+1 n ; 2. w is a sequence of length j · clen + 1; 3. For 0 ≤ i ≤ j, let i0 := i · clen; then β(i0 , w) is a sequence of length 2i and for 0 ≤ ` < 2i , |β(`, β(i0 , w))| ≤ 2n. 4. For 0 ≤ i ≤ j, and i · clen < i0 < (i + 1) · clen, β(i0 , w) is a sequence of length 2i+1 , and for 0 ≤ ` < 2i+1 , |β(`, β(i0 , w))| ≤ s, and R(i0 , β(`, β(i0 + 1, w)), β(`, β(i0 , w))); 5. For 0 < i < j and 0 ≤ ` < 2i , let xi,2` := β(2`, β((i + 1) · clen, w)), Lyi,` := MSP(β(`, β(i · clen, w)), n), bi,2` := β(2`, β((i+1)·clen−1, w)), and ei,2` := β(2`, β(i · clen + 1, w)). Then bi,2` = Lyi,` ∗ B(xi,2` , Lyi,` , ~z) and ei,2` = Lyi,` ∗ E(xi,2` , Lyi,` , ~z). Here, ∗ denotes concatenation; we need this extra data when we construct the circuit that iteratively block-recognizes S. 6. For 0 ≤ i < j and 0 ≤ ` < 2i , let xi,2`+1 := β(2` + 1, β((i + 1) · clen, w)), Ryi,` := LSP(β(`, β(i · clen, w)), n), bi,2`+1 := β(2` + 1, β((i + 1) · clen − 1, w)), and ei,2`+1 := β(2` + 1, β(i · clen + 1, w)). Then bi,2`+1 = Ryi,` ∗ B(xi,2`+1 , Ryi,` , ~z) and ei,2`+1 = Ryi,` ∗ E(xi,2`+1 , Ryi,` , ~z); 7. β(0, β(0, w)) = c; 8. For 0 ≤ ` < 2j , β(`, β(j · clen, w)) = β̂(`, 2n, S). So this formula asserts that w is a “triangle of grids” that consists of mj + 1 grids. The i-th grid has 2i columns and ||t|| + 3 rows. The last row of each grid corresponds to to a row of the triangle from the PV case. The immediately prior row consists of blocks of the form B(x, y), where x < 22n is the value in same column and next row and y < 2n is the value x is mapped to by Q. Then within a column, one traverses row-by-row by applying R. The new formula AM P is defined from this AM P 0 as before with a larger (but still polynomial bound) for w. Given that the universals above will be sharply bounded in R22 , this AM P is still equivalent to a Σb1 -formula. So one can prove j+1 ∀S < 22 n ∃c < 2n AM P (S, c, j, ·||t||m , x) by induck tion on j in R22 and hence conclude ∀S < 2n ∃c < m 2n AM P (S, c, k ||x|| · ||t|| , x). The induction step is handled by using the fact that since ¬mWPHP (Q), there is some unique sequence that makes Q an an j+2 injective map from 22n into 2n . So given S < 22 n , apply Q to the length-2n blocks of S to obtain lengthj+1 n blocks, and concatenate these to get S 0 < 22 n . Apply the induction hypothesis to find c such that m AM P (S 0 , c, j ||t|| , x). Let w0 be the sequence such m that AM P 0 (S 0 , c, j ||t|| , x, w0 ) and now append the clen-row by 2j+1 -column “grid” that has the length2n blocks of S as the last row, and the the computation sequence of R in each column. k Now given S < 22n we need a circuit C(i, u, v, b) that recognizes a path through this “triangle of grids” that starts at c and ends at β̂(b, 2n, S). When i = i0 · clen, we are transitioning from the last row of a grid (corresponding to the rows of the triangle from the PV case); the circuit verifies that LSP(v, n) = B(u, MSP(v, |v| − n)). This is why we need to keep extra copies of the Ly’s and Ry’s in all the cells of the grid; without them, we could not perform this verification “locally.” When i = i0 · clen + 1, we are transitioning from one grid to the next. The circuit just verifies that left- or right-half of v is MSP(u, n) according to the ((k − 1) |n| − i0 )-th bit of b. Finally, if i = i0 · clen + i00 with i00 > 1, we are transitioning according to R, so the circuit verifies that R(i00 , LSP(v, n), LSP(u, n)). It would be interesting to know if mWPHP (PV ) implies mWPHP (ITER(P V, {||id||O(1) })) over some non-trivial theory. To show this would seem to involve showing that from an iterated relation PV defining a injective multifunction from n2 to n, one could somehow do away with the iteration and find a PV relation defining a injective multifunction from n2 to n relation. It is not clear how this could be done. 6 Iteration and RSA In this section, the provability of k ∃S < 22n ∀C < 2n k −2n ∀c < 22n ¬IterBlockRec(C, S, c, x, k) in R32 and R33 is connected to the security of RSA. To state our results, we define the class qP LS and recall the definition of RSA. The class PLS for polynomial search was defined by Johnson, Papadimitriou, and Yannakakis (1988) and was shown to contain several interesting optimization problems. Buss and Krajı́ček (1994) showed that the Σb1 provably total multifunctions of T21 can be characterized as the composition of a projection function with a PLS multifunction. By a quasi-polynomial, k we mean a function of the form 2(log n) for some k. A natural generalization of PLS to quasi-polynomial time can be defined as follows: Definition 6 A qPLS problem consists of a quasipolynomial time cost function c, a quasi-polynomial time neighborhood function N , and a quasipolynomially bounded set of quasi-polynomial time solutions, defined by a predicate F . For an input x, the set {s : F (x, s)} is the set of feasible solutions, the mapping s 7→ c(x, s) assigns a cost to each solution, and the mapping s 7→ N (x, s) maps solutions to solutions. The multifunction f defined by the qPLS problem is given by the relation f (x) = y iff F (x, y) and c(x, N (x, y)) < c(x, y). Define x#3 y as 2|x|#|y| . Let R3i , S3i , and T3i be the theories obtained from R2i ,S2i , and T2i by adding this symbol and its defining axiom. A straightforward generalization of Buss & Krajı́ček (1994) shows that the Σb1 provably total multifunctions of T31 can be characterized as the composition of a projection function with a qPLS multifunction (see Pollett (1997) for results of this type). A straightforward generalization of Buss (1986) shows that the Σb1 -definable functions of S31 are the quasi-polynomial time functions. Recall what an instance of RSA is: the following: (a) for R32 , there is a quasi-polynomial time function g which when given inputs c, a such that ∀x < a2 f (x, c) < a outputs x1 < x2 < a2 such that f (x1 , c) = f (x2 , c). (b) for R33 , g can be computed as a a projection of a qPLS problem. By Krajı́ček and Pudlák (1998) there is polynomial time algorithm using g as an oracle which solves RSA. References Ajtai, M. (1994), ‘The complexity of the pigeonhole principle’, Combinatorica 14(4), 417–433. Beame, P., Impagliazzo, R., Krajı́ček, J., Pitassi, T., Pudlák, P. & Woods, A. (1992), Exponential lower bounds for the pigeonhole principle, in ‘Proceedings of the 24th Annual ACM Syposium on the Theory of Computing (Victoria, 1992)’, ACM Press, New York, pp. 200–221. Buss, S. R. (1986), Bounded Arithmetic, Bibliopolis, Naples. Buss, S. R. (1990), Axiomatizations and conservation results for fragments of bounded arithmetic, in ‘Logic and Computation (Pittsburgh, PA, 1987)’, Vol. 106 of Contemp. Math., Amer. Math. Soc., Providence, RI, pp. 57–84. Buss, S. R. (1997), ‘Bounded arithmetic, complexity, and cryptography’, Theoria 63, 147–167. Definition 7 An instance of RSA consists of a modulus n = pq for two large primes p and q, exponents e and d which are mutual inverse modulo (p − 1)(q − 1), a message m < n, and a ciphertext c < n such that c ≡ me mod n and m ≡ cd mod n. The RSA instance is solved (hence, vulnerable) if given n, e, and c, one can compute m. Buss, S. R. & Hay, L. (1991), ‘On truth-table reducibility to SAT’, Inform. and Comput. 91(1), 86–102. We are now ready to present the main result of this section. Buss, S. R., Krajı́ček, J. & Takeuti, G. (1993), Provably total functions in bounded arithmetic theories Ri3 , Ui2 and V2i , in ‘Arithmetic, Proof Theory, and Computational Complexity (Prague, 1991)’, Vol. 23 of Oxford Logic Guides, Oxford Univ. Press, New York, pp. 116–161. Theorem 15 Let n = |x|. (a) If for any k k k, R32 proves ∃S < 22n ∀C < 2n −2n ∀c < 22n ¬IterBlockRec(S, C, c, x, k) then RSA is vulnerable to quasi-polynomial time based attacks. (b) If k k for any k, R33 proves ∃S < 22n ∀C < 2n −2n ∀c < 22n ¬IterBlockRec(S, C, c, x, k) then RSA is vulnerable to polynomial time in qPLS based attacks. Proof. Both (a) and (b) are proved essentially the same way. By Buss, Krajı́ček, and Takeuti (1993) it is known that R33 is Σb3 conservative over S22 , and by Buss (1990), S32 is Σb2 -conservative over T31 . Similarly, by Buss, Krajı́ček, and Takeuti (1993), R32 is Σb2 -conservative over S31 . Let T be either R32 or k k R33 . Then if T proves ∃S < 22n ∀C < 2n −2n ∀c < 2n 2 ¬IterBlockRec(S, C, c, x, k), then by Theorem 14, T proves mWPHP (PV ) so by Proposition 1, it also proves iWPHP (PV ) and thus iWPHP (FP ). The latter consists of formulas of the form: ∃x < n2 f (x, c) ≥ n ∨ 2 ∃x1 , x2 < n (x1 6= x2 ∧ f (x1 , c) = f (x2 , c)) which are Σb1 -formulas. Hence, by the previously mentioned conservation results, one has in the case of R32 that S31 proves iWPHP (FP ) and in the case of R33 that T31 proves iWPHP (FP ). Using the witnessing arguments used to show the characterizations of Σb1 -definability in these latter theories one can say Buss, S. R. & Krajı́ček, J. (1994), ‘An application of Boolean complexity to separation problems in bounded arithmetic’, Proc. London Math. Soc. (3) 69(1), 1–21. Ferreira, F. (1995), ‘What are the ∀Σb1 -consequences of T12 and T22 ?’, Ann. Pure Appl. Logic 75(12), 79–88. Proof theory, provability logic, and computation (Berne, 1994). Hanika, J. (2004), Search Problems and Bounded Arithmetic, PhD thesis, Charles University. Jeřábek, E. (2004), ‘Dual weak pigeonhole principle, Boolean complexity, and derandomization’, Ann. Pure Appl. Logic 129(1–3), 1–37. URL: doi:10.1016/j.apal.2003.12.003 Johnson, D. S., Papadimitriou, C. H. & Yannakakis, M. (1988), ‘How easy is local search?’, J. Comput. System Sci. 37(1), 79–100. 26th IEEE Conference on Foundations of Computer Science (Portland, OR, 1985). Kannan, R. (1982), ‘Circuit-size lower bounds and nonreducibility to sparse sets’, Inform. and Control 55(1-3), 40–56. Krajı́ček, J. (1995), Bounded Arithmetic, Propositional Logic, and Complexity Theory, Vol. 60 of Encyclopedia of Mathematics and its Applications, Cambridge University Press, Cambridge. Krajı́ček, J. (2004), ‘Dual weak pigeonhole principle, pseudo-surjective functions, and provability of curcuit lower bounds’, J. Symbolic Logic 69(1), 265–286. Krajı́ček, J. & Pudlák, P. (1990), ‘Quantified propositional calculi and fragments of bounded arithmetic’, Z. Math. Logik Grundlag. Math. 36(1), 29–46. Krajı́ček, J. & Pudlák, P. (1998), ‘Some consequences of cryptographical conjectures for S12 and EF’, Inform. and Comput. 140(1), 82–94. Krajı́ček, J., Pudlák, P. & Takeuti, G. (1991), ‘Bounded arithmetic and the polynomial hierarchy’, Ann. Pure Appl. Logic 52(1-2), 143– 153. International Symposium on Mathematical Logic and its Applications (Nagoya, 1988). Paris, J. B., Wilkie, A. J. & Woods, A. R. (1988), ‘Provability of the pigeonhole principle and the existence of infinitely many primes’, J. Symbolic Logic 53(4), 1235–1244. Paris, J. & Wilkie, A. (1985), Counting problems in bounded arithmetic, in ‘Methods in Mathematical Logic (Caracas, 1983)’, Vol. 1130 of Lecture Notes in Math., Springer-Verlag, Berlin, pp. 317–340. Pollett, C. (1997), Arithmetic Theories with Prenex Normal Form Induction, PhD thesis, University of California, San Diego. Pollett, C. (1999), ‘Structure and definability in general bounded arithmetic theories’, Ann. Pure Appl. Logic 100(1-3), 189–245. Razborov, A. A. (1995), Bounded arithmetic and lower bounds in Boolean complexity, in ‘Feasible Mathematics II (Ithaca, NY, 1992)’, Vol. 13 of Progr. Comput. Sci. Appl. Logic, Birkhäuser Boston, Boston, MA, pp. 344–386. Thapen, N. (2002), The Weak Pigeonhole Principle in Models of Bounded Arithmetic, PhD thesis, Oxford University.